Once Theoretical Crypto Attack Against HTTPS Turns to Near Reality

Nearly a third of the web’s encrypted traffic connections can be cracked using a once theoretical attack that’s growing increasingly possible, computer scientists warned Wednesday. They believe an attack technique used against cryptographic cipher known as RC4, can also be used to break into wireless networks protected by the WiFi Protected Access Temporal Key Integrity Protocol (TKIP).

Cryptography researchers have long known statistical biases in RC4 make it entirely possible for attackers to predict some of the pseudo-random bytes the cipher uses to encode messages. To prove this, a team of scientists back in 2013 devised an attack plan that exploited the weakness, which required about 2,000 hours to correctly guess the characters contained within a typical authentication cookie. Refining their method, a new team of researchers found it possible to carry out the same attack in just around 75 hours with a staggering 94 percent accuracy rate. Similar attacks against WPA-TKIP protected networks exist and take only around an hour to successfully crack.

Researcher have warned the only counter measure against their attack, dubbed RC4 NOMORE, is to cease using RC4 altogether. Waiting for its eventual death as we did with the decade old insecure SSLv3 protocol.

“Our work significantly reduces the execution time of performing an attack, and we consider this improvement very worrisome,” researchers wrote on their official RC4 NOMORE detailing. “Considering there are still biases which are unused, that more efficient algorithms can be implemented, and better traffic generation techniques can be explored, we expect further improvements in the future.”

Research warns that the attack could be exploited by hackers who wish to monitor the connection between a target and an HTTPS-protected website or protected network. To exploit an HTTPS connection, an attacker would first be required to use a separate non-HTTPS-protected domain to inject harmful Javascript code into the targeted computer, forcing it to repeatedly transmit the encrypted authentication cookie in a rapid response, tricking the computer. While observing some 9*227 encryptions of the target cookie, an attacker could guess the contents of the cookie with 94 percent accuracy, researchers tout of the attack. If exploited properly, it even has the ability to make the target transmit 4,450 web requests per second. The attack alone takes around 75 hours, although in some cases the time could be minimized to 54 hours.

Citing back to when the attack was theoretical, per-say, researchers required 12*230 encryptions of a cookie and could only generate around 1,700 requests per second. A near glaring 3,000 request per-second gap.

An attack against WPA-TKIP-protected networks exists and only takes an hour to execute, allowing attackers to inject and decrypt arbitrary packets along the way. Attackers RC4 NOMORE attack is demonstrated in the proof-of-concept video:

Not only can RC4 NOMORE be used to decrypt cookies and wifi packets, but also any plaintext data that is caught up and transmitted through the encrypted stream. The technique works by injecting data values that are sure to exist inside the encrypted payload, such as headers that already exist in every authentication cookie or traffic packet. The attack will then cycle through every possible combination of characters for the unknown values and use the statistical biases to identify which combinations are most possible.

As of now, the attack against HTTPS-protected websites remains strictly theoretical, given the required 75 hours. However, what’s more concerning is pushing out RC4 as it’s not a long-term solution, and network administrators need to realize this. An estimated 30 percent of the entire HTTPS encrypted web still relies on the age-old RC4.

“We consider it surprising this is possible using only known biases, and expect these types of attacks to further improve in the future,” the security researchers wrote in a research paper (PDF) scheduled to be presented at next month’s 24th annual Usenix Security Symposium. “Based on these results, we strongly urge people to stop using RC4.”